From bc72a298cc880742b8b96816e40bbf1cd1e710c6 Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Sat, 14 Sep 2019 23:00:06 +0200
Subject: [PATCH] Update Malware analysis 09-09-19.md
---
.../09-09-19/Malware analysis 09-09-19.md | 41 ++++++++++++++-----
1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md b/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md
index 2685635..0048940 100644
--- a/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md
+++ b/Pakistan/APT/Gorgon/09-09-19/Malware analysis 09-09-19.md
@@ -56,9 +56,12 @@
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
-||||
-||||
-||||
+|Execution|Scheduled Task
Command-Line Interface
Scripting
Execution through API
Mshta|https://attack.mitre.org/techniques/T1053/
https://attack.mitre.org/techniques/T1059/
https://attack.mitre.org/techniques/T1064/
https://attack.mitre.org/techniques/T1106/
https://attack.mitre.org/techniques/T1170/|
+|Persistence|Scheduled Task
Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1053/
https://attack.mitre.org/techniques/T1060/|
+|Privilege Escalation|Scheduled Task|https://attack.mitre.org/techniques/T1053/|
+|Defense Evasion|Scripting
Mshta|https://attack.mitre.org/techniques/T1064/
https://attack.mitre.org/techniques/T1170/|
+|Discovery|Query Registry
System Information Discovery|https://attack.mitre.org/techniques/T1012/
https://attack.mitre.org/techniques/T1082/|
+
## Indicators Of Compromise (IOC)
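Review bot: the multi-technique cells in the ATT&CK table break Markdown table rendering. Lines such as `Command-Line Interface`, `Scripting` and the follow-on `https://attack.mitre.org/techniques/T1059/` sit outside a `|...|` row, so GitHub will render only `|Execution|Scheduled Task` as a table row and dump the remaining techniques and URLs as loose paragraphs after the table. Put each group inside a single row with `<br>` separators, for example `|Execution|Scheduled Task<br>Command-Line Interface<br>Scripting<br>Execution through API<br>Mshta|https://attack.mitre.org/techniques/T1053/<br>https://attack.mitre.org/techniques/T1059/<br>...|`, and apply the same to the Persistence, Defense Evasion and Discovery rows. While touching this table, the header still reads `Technics used` where `Techniques used` is meant. The technique IDs themselves (T1053, T1059, T1064, T1106, T1170, T1060, T1012, T1082) match the names given, so the mapping is fine.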
@@ -66,17 +69,35 @@
| Indicator | Description|
| ------------- |:-------------:|
-|||
-||Domain requested|
-||IP requested|
-||HTTP/HTTPS requests||
-||IP C2|
-||Domain C2|
+|PO # 8872521.xlt|51a0e2aac8a0d7460e2a326a9c372f3d1ba3871e6f365f122f3d72cd271a5a3b|
+|Scan001.xls|0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2|
+|bin2.exe|c04d776b341acb3d02270a4f883c8b08a66b183779dea79c1b7e11f3906ce616|
+|67.199.248.14|IP requested|
+|172.217.22.97|IP requested|
+|67.199.248.10|IP requested|
+|67.199.248.11|IP requested|
+|216.170.126.139|IP C2|
+|bitly.com|Domain requested|
+|sxasxasxssaxxsasxasx.blogspot.com|Domain requested|
+|pastebin.com|Domain requested|
+|http[:]//216.170.126.139/Panel/10/index.php|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/BrH6UFRc|HTTP/HTTPS requests|
+|http[:]//bitly.com/6xdfsSXsh6|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/UZEbWMK9|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/nhcP3XgH|HTTP/HTTPS requests|
+|http[:]//bit.ly/loahsh78bhidasyiuasaaki|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/5y7H3LSz|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/TqsXJZaM|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/3MuLJLWZ|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/dkrjWec2|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/j8mRken0|HTTP/HTTPS requests|
+|http[:]//pastebin.com/raw/bgTGtxHc|HTTP/HTTPS requests|
+
###### This can be exported as JSON format [Export in JSON]()
## Links
###### Original tweet: [https://twitter.com/Rmy_Reserve/status/1171381881461338112](https://twitter.com/Rmy_Reserve/status/1171381881461338112)
-* [Ref previous analysis:](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)
+###### Ref previous analysis: [Gorgon analysis (25-08-19)](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Pakistan/APT/Gorgon/23-08-19/Malware%20analysis%2025-08-19.md)
###### Links Anyrun:
* [0ec07af14a5338805ed45bcc0a90b20811fd0c9b57ab0f5e1cfd97cd1696c1c2.xls](https://app.any.run/tasks/bb1279af-7fff-4b37-8439-7b303f113082)
* [PO # 8872521.xlt](https://app.any.run/tasks/ff27dd57-9484-4c1c-9a13-6eedf3ede657)
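Review bot: the first three IOC rows put a SHA256 hash in the `Description` column (`|PO # 8872521.xlt|51a0e2aa...|`, `|Scan001.xls|0ec07af1...|`, `|bin2.exe|c04d776b...|`) while every other row uses that column for a type label such as `IP requested` or `Domain C2`, so a consumer of the table (or of the promised JSON export) cannot tell which column holds the indicator for those rows. Either add a `SHA256` column or label the hash rows explicitly, e.g. `|51a0e2aa...|SHA256 (PO # 8872521.xlt)|`. Defanging is also inconsistent: the URLs use `http[:]//` but the IPs and domains (`216.170.126.139`, `bitly.com`, `pastebin.com`) are left live; defang all or none. Lastly, the new previous-analysis link text says `25-08-19` but its path points into the `23-08-19/` directory; confirm the path resolves before merging.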